Sunday, 13 October 2013

Ergometer (KETTLER FX1) serial protocol

I have an exercise bicycle ergometer with a serial port, which I want to connect to my computer so that I can use my own customized, open-source software to monitor data such as rpm, pulse, power, time and distance, and to control the power.

Protocol

Hardware

Modern computers usually have no serial port, so you need a USB<->serial converter. Make sure to buy a good one that also works on Linux systems. According to many web sources, converters with FTDI chipsets are the best. I bought a Digitus USB-serial adapter for ca. 11.00 EUR.

For a wired connection you need a RS-232 extension cable with a male and female D-sub-9 connector. NOT a Null modem cable! Also a three-wire connection with TxD (pin 3), RxD (pin 2) and GND (pin 5) is sufficient.

As a first step I needed to discover the parameters of the ergometer's serial connection. For this task I used a software serial sniffer and an oscilloscope. Finally I found the following serial connection specifications:
  • Bitrate: 9600 (According to user Unknown, Kettler World Tours changes it to 57600 when using the software)
  • Data bits: 8
  • Stop bits: 1
  • No handshake


Protocol

The next step is to discover the protocol. First of all I found out that it is possible to communicate with the ergometer using a normal terminal, for example Cutecom on Linux or Hyperterminal on Windows, by sending strings ending with "\r\n" to the ergometer and getting an "ERROR\r\n" response.
Notation: I use the escape sequences \r, \n and \t to describe the special characters carriage return, new line and tab.

Playing with different commands I was unable to get more information, so I decided to use a brute-force search to get the protocol specification. I wrote a small program which sends all possible strings consisting of one or two ASCII symbols from "a" to "z" and ending with "\r\n" until I get a response different from "ERROR".

I was able to retrieve the following commands:
Notation: [request without "\r\n"] -> [response without "\r\n"]. User midway112 found out that the commands work only when used in uppercase. That means, for example, use "CA" instead of "ca".
  • ca -> 041
  • cd -> ACK
  • cm -> ACK
  • cp -> ACK
  • id -> FX1S
  • pd -> 000\t000\t000\t000\t025\t0000\t00:00\t000
  • pe -> 000\t000\t000\t000\t025\t0000\t00:00\t000
  • pt -> 000\t000\t000\t000\t025\t0000\t00:00\t000
  • pw -> 000\t000\t000\t000\t025\t0000\t00:00\t000
  • rd -> [long output]
  • rp -> [long output]
  • st -> 000\t000\t000\t000\t025\t0000\t00:00\t000
  • ve -> 165
  • vs -> 00 
  • PS -> [response unknown] set speed on treadmill Task9 (Remark from User Eva).
  • PI -> [response unknown] set tilt on treadmill Task9 (Remark from User Eva).
The next part of the hacking was the funniest way of protocol analysis in my life, since it was some kind of circuit training:
  1. Exercise on the ergometer and remember the values.
  2. Go to the computer and check the output.
  3. Go to step 1.
Below I will give a more precise explanation for some commands. The precise meaning of each letter is just a wild guess, since I don't have access to the original protocol specs.

Some commands can be used with an argument, which is at most a 3- or 4-digit number. The argument and the command are separated by one blank character. No leading zeros are required. A missing argument is considered to be 0 and large arguments are stripped.

In order to use the cp, pd, pe, pt and pw commands one must first call the cd or cm command.
cd: Maybe puts the ergometer into manual mode? After the call a serial port socket appears on the ergometer screen.

cm: Seems to be the same as cd.

cp: Reset (?).

id: Get device type, which in my case is KETTLER FX1.

pd: put distance. The argument is the distance in 0.1 km. The values are between 0 and 999.

pt: put time. The argument is a time. The values are between 0 and 9959. The first two digits describe minutes, the last two digits describe seconds. If the number of seconds is greater than 59 it will be reduced to 59.

pw: put power. The argument is the power in Watt. The values are between 25 and 400 in steps of 5.
Values less than 25 are converted to 25. Values greater than 400 are converted to 400. Values are rounded down until they become a multiple of 5.

rp: read programs. The output consists of the ergometer's standard programs written as a sequence of 2-digit or 3-digit blocks. The format of each program is [number of minutes] [watt in the first minute] [watt in the second minute]...

st: This is an important command for monitoring purposes. It can mean "current status" or "current state".
It does not need any arguments and its output consists of 8 fields separated by tab characters, where the fields mean [pulse in Hz][rpm][speed in 0.1 km/h][distance in 0.1 km][requested power][energy in kJ][time in minutes:seconds][actual power (?)]
The fictional response 088\t072\t324\t009\t150\t0024\t10:02\t140 means: pulse 88 beats per minute, 72 RPM, speed 32.4 km/h, distance 0.9 km, requested 150 Watt, burned energy 24 kJ, time 10 minutes 02 seconds, actual power 140 Watt.
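The field layout and argument rules described above can be turned into a small parser and command builder. This is an added example, not code from the original post: the names Status, parse_status, normalize_power, normalize_time and build_command are hypothetical, the field meanings are the post's own guesses, and rejecting time arguments above 9999 is an assumption of this sketch.

```python
from dataclasses import dataclass

@dataclass
class Status:
    pulse_bpm: int
    rpm: int
    speed_kmh: float
    distance_km: float
    requested_watt: int
    energy_kj: int
    seconds: int
    actual_watt: int

def parse_status(line: bytes) -> Status:
    """Parse one ST response; raise ValueError on anything malformed."""
    text = line.decode("ascii").rstrip("\r\n")  # non-ASCII bytes also raise ValueError
    if text == "ERROR":
        raise ValueError("device answered ERROR")
    f = text.split("\t")
    if len(f) != 8:
        raise ValueError(f"expected 8 tab-separated fields, got {len(f)}")
    mm, sep, ss = f[6].partition(":")
    if sep != ":" or not all(n.isdigit() for n in f[:6] + [mm, ss, f[7]]):
        raise ValueError(f"non-numeric field in {text!r}")
    pulse, rpm, speed, dist, req, kj = map(int, f[:6])
    # Speed and distance are transmitted in tenths (0.1 km/h, 0.1 km).
    return Status(pulse, rpm, speed / 10, dist / 10, req, kj,
                  int(mm) * 60 + int(ss), int(f[7]))

def normalize_power(watt: int) -> int:
    """Value the ergometer applies: clamp to 25..400, round down to a multiple of 5."""
    return max(25, min(400, watt)) // 5 * 5

def normalize_time(arg: int) -> int:
    """mmss argument with seconds above 59 reduced to 59."""
    if not 0 <= arg <= 9999:  # assumption: reject instead of guessing how it is stripped
        raise ValueError("time argument must have at most 4 digits")
    return arg // 100 * 100 + min(arg % 100, 59)

def build_command(name: str, arg=None) -> bytes:
    """Two-letter command in uppercase, optional argument after one blank, then CR LF."""
    if len(name) != 2 or not name.isalpha():
        raise ValueError("command must be two letters")
    body = name.upper() if arg is None else f"{name.upper()} {int(arg)}"
    return (body + "\r\n").encode("ascii")
```

To talk to a real device, write the bytes from build_command to the serial port opened at 9600 baud, 8 data bits, 1 stop bit and no handshake, and pass each line read back to parse_status.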

Acknowledgement:

I thank Unknown, Eva and midway112 for their remarks and testing.